Archive for the ‘Security’ Category

Firstly, many apologies for the lack of fotoLibra service over the past few days. The good news is that everything is now back up and running as it should be.

The problem was with our SSL Certificate. An SSL (strictly, TLS) certificate is not itself the encryption protocol: it is a signed statement from a certificate authority that binds a website’s public key to its domain name, so that a browser can check it is talking to the genuine server before it encrypts anything. Websites need one to secure communications between their servers and web browsers. Without a valid SSL Certificate you wouldn’t be able to access a website, unless you clicked through a string of increasingly dire warnings.

We have automatically renewed our SSL Certificate every two years for the past fourteen years. This year we paid for the renewal on August 25th. Unfortunately our service provider 123-Reg changed their certifying authority from GlobalSign to an American company without notifying us. An email from this unknown new company, Starfield Technologies, demanding sensitive corporate data, went straight into the trash.

When we eventually checked with our service provider we were told the email wasn’t spam, it was actually from a legitimate company, despite its very iffy write-up in Wikipedia. In order to validate the company named on our SSL Certificate, Starfield demanded from us a letter of attestation signed by a lawyer, and an invoice from an outside supplier verifying our telephone number.

How many invoices do you get with YOUR telephone number printed on them? Right — just one, if any; from your phone supplier; BT in our case.

The American company rejected the bill from BT because they had made it out to VisCon Pro Ltd, not to fotoLibra’s holding company VisConPro Ltd. An errant space was sufficient for disqualification.

They rejected our letter of attestation because it was signed by a solicitor, not a lawyer. Americans, eh?

They were not at all interested in the fact that all our corporate data is freely available from Companies House, presumably because Companies House is not yet totally under American control.

Because these verification letters did not meet their demands, this foreign company had the ability to pull the plug on our certification. And so they did. Despite their failure to comprehend our valid credentials, they ensured we were unable to trade for five days.

Do we get recompense? Maybe, if we had phalanxes of highly trained American lawyers. But we don’t.

So once again, please accept our apologies for this downtime. I hope it won’t happen again.
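An expired or unexpectedly re-issued certificate is something a monitor should tell you about weeks ahead, rather than your customers telling you afterwards. The Python below is an added example, not fotoLibra’s or 123-Reg’s code: it fetches a site’s certificate with the same verification a browser applies (full chain and hostname), reports the days left and the issuing organisation, and raises an alert when the expiry is close or the issuer is not the one you expected, which is exactly the change that went unnoticed here. The 30-day threshold, the sample certificate dictionary and the issuer name Example CA Ltd are assumptions.

```python
"""Certificate expiry and issuer monitor (added example; assumed thresholds and sample data)."""
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = 30  # assumed threshold: warn when fewer than this many days remain


def parse_not_after(not_after):
    """Convert the 'notAfter' string from ssl.getpeercert() into an aware UTC datetime.

    The ssl module always formats it like 'Aug 25 12:00:00 2016 GMT'.
    """
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def issuer_org(cert):
    """Pull the issuing organisation out of getpeercert()'s nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess(cert, expected_issuer=None, now=None, alert_days=ALERT_DAYS):
    """Return (status, days_left, issuer).

    status is 'expired', 'issuer_changed', 'expiring' or 'ok', checked in that order.
    `expected_issuer` is what turns a silent CA change under your renewal into an alert.
    """
    now = now or datetime.now(timezone.utc)
    days_left = (parse_not_after(cert["notAfter"]) - now).days
    issuer = issuer_org(cert)
    if days_left < 0:
        return "expired", days_left, issuer
    if expected_issuer and issuer != expected_issuer:
        return "issuer_changed", days_left, issuer
    if days_left < alert_days:
        return "expiring", days_left, issuer
    return "ok", days_left, issuer


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the live certificate for `host` (network access required).

    create_default_context() verifies the chain against the system trust store and
    checks the hostname, so an invalid certificate fails here just as it would in a browser.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Ltd"),)),
    "notAfter": "Aug 25 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_cert(host) if host else SAMPLE_CERT
    print(assess(cert, expected_issuer="Example CA Ltd"))
```

Run it against your own hostname from a daily scheduled job and alert on anything other than `ok`; the issuer comparison is the part that would have flagged the switch of certificate authority before the old certificate ran out.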

Paying by bank transfer is much easier than paying by cheque, which is why so many companies now include their bank details — account number and sort code — on their invoices.

That’s reasonable when the recipient is a private individual or another company. It’s not so good when they are published on the fifth biggest website in the country.

To illustrate an article “Bank cheques to be cleared within a day” on their website last Wednesday the BBC used a photograph of a handwritten HSBC cheque, clearly showing a company’s account number and sort code details.

The trouble was they were ours — fotoLibra.com’s.

This was a cheque we’d paid to one of our contributors in 2012, and to add aggravation to outrage she photographed it and uploaded it to Getty Images, who then sold it to the BBC, complete with our clearly visible bank details.

A photograph of a fotoLibra contributor’s cheque, sold to the BBC by Getty. We have blurred out our bank sort code and account number

James Cliffe, HSBC’s Head of Business Banking, is no call centre drudge and he took the issue sufficiently seriously to call me direct. HSBC had seen the article shortly after it appeared and immediately called the BBC to complain. The photograph was replaced within the hour.

The replacement photograph

An account number and sort code are all an unscrupulous individual needs to set up a direct debit against the account, as Jeremy Clarkson found to his cost when he published his bank details in the belief they only worked one way. He found he was suddenly paying a £500 direct debit to the charity Diabetes UK.

Clarkson revealed his account numbers after rubbishing the furore over the theft of 25 million people’s personal details. He wanted to prove the story was a fuss about nothing. “The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” sighed Clarkson. “I was wrong and I have been punished for my mistake.”

We hold the BBC and Getty Images equally responsible. Getty, at least, seem to know they’ve done wrong, because there’s no trace of that image on their website today.

Well, that might be pushing it a bit, but I’ve always wanted to write a headline like that.

We take care to vet every image uploaded to fotoLibra. The first hurdle of course is quality; images must have a minimum pixel dimension of 1750 and a resolution of 300 ppi. (PPI and DPI deniers — I know your arguments, but the majority of fotoLibra sales are for print use and they need to be 300 dpi). If you read this blog about PPI/DPI you’ll see that one of the reasons we demand 300 ppi is to prevent porn being uploaded.

We hadn’t thought of drugs.

Someone I’ll call Eugene had. He appears to be from Ukraine, but that’s easy to mask. What he did was very simple and (I’m reluctant to say it) quite clever. He simply uploaded photographs of drugs to fotoLibra and offered them for sale. In the Image Description field he wrote “Ve vant to build strong lasting relationship mit customers like you” and followed it with a Skype contact name.

Ingenious. Had the images remained on fotoLibra they would very quickly have been picked up by search engines (all our keywords are indexed so search engines can crawl and find them easily) and anyone searching for, say, Hygetropin on the web would have been able to find it nicely displayed on the squeaky clean fotoLibra site together with handy details of how to purchase it.

We spotted the images within an hour of upload. Not much discussion was needed. We simply deleted them.

Yvonne (and if you’ve had dealings with Yvonne, you’ll know she makes Jacqui Norman look like a pussycat) wrote to our hopeful new member:

Hello Eugene

fotoLibra is a professional picture library selling image usage rights to publishers, advertising agencies and so on. We are not a shop window for online drug salesmen; we have therefore removed the images from your portfolio and cancelled your membership.
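The weak point Eugene exploited is that a stranger’s caption went straight into a crawlable catalogue. The Python below is an added example of the gate a library could put in front of its index, not fotoLibra’s own moderation code: it flags captions and keywords that carry contact channels (Skype handles, email addresses, URLs, phone numbers) or sales patter, and holds anything from a member younger than an assumed 30 days for human review before search engines ever see it. The patterns, the 30-day threshold and the sample uploads are constructed.

```python
"""Hold new members' uploads out of the public index until a human has looked at them.

Added example with assumed thresholds; the sample uploads are constructed, not real records.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Ways to be contacted: an advertiser needs one, a caption for a stock photograph never does.
CONTACT_PATTERNS = {
    "skype_handle": re.compile(r"\bskype\b\s*[:\-]?\s*\S+", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    "phone": re.compile(r"(?:\+\d{1,3}[\s-]?)?(?:\d[\s-]?){9,14}\d"),
}
# Sales language that has no place in a description of a picture.
SALES_PATTERNS = re.compile(r"\b(?:order|buy|purchase|price|shipping|customers?|wholesale)\b", re.I)
TRUSTED_AFTER = timedelta(days=30)  # assumed: younger members are reviewed before indexing


@dataclass
class Upload:
    member_joined: datetime
    uploaded_at: datetime
    description: str
    keywords: list = field(default_factory=list)


def description_flags(text):
    """Return the names of every suspicious pattern found in a piece of caption text."""
    flags = [name for name, pattern in CONTACT_PATTERNS.items() if pattern.search(text)]
    if SALES_PATTERNS.search(text):
        flags.append("sales_language")
    return flags


def index_decision(upload):
    """Decide whether an upload may enter the crawlable catalogue now.

    Returns (publish, reasons). Anything carrying contact details or sales language, or
    anything from a new member, is held for a human; nothing is deleted automatically, so a
    false positive costs a reviewer a glance rather than a photographer an image.
    """
    reasons = description_flags(upload.description)
    reasons += [f"keyword:{k}" for k in upload.keywords if description_flags(k)]
    if upload.uploaded_at - upload.member_joined < TRUSTED_AFTER:
        reasons.append("new_member")
    return (not reasons, reasons)


# Constructed samples for illustration only.
_T0 = datetime(2013, 1, 8, 9, 0)
SAMPLE_UPLOADS = {
    "drug_advert": Upload(
        _T0 - timedelta(hours=2), _T0,
        "Ve vant to build strong lasting relationship mit customers like you. Skype: pharma.sales",
        ["hygetropin", "hgh"],
    ),
    "wildlife_new_member": Upload(_T0 - timedelta(days=3), _T0, "Black rhino at dusk, Etosha"),
    "wildlife_old_member": Upload(_T0 - timedelta(days=400), _T0, "Black rhino at dusk, Etosha"),
}

if __name__ == "__main__":
    for name, upload in SAMPLE_UPLOADS.items():
        print(name, index_decision(upload))
```

Held images should also be served with a `noindex` robots directive and left out of the sitemap until released, otherwise the review queue is just a formality the crawler never waits for.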

Many cameras and smartphones now come equipped with a GPS receiver which records the precise location of the device in each photograph’s metadata. A brilliantly conceived piece of work, and useful in all sorts of ways.

Except one.

If you use your GPS-enabled camera to shoot wildlife — you could be helping poachers to shoot wildlife.

All they have to do is check the EXIF data in your image and they’ll see the precise coördinates of the camera when the photograph was taken. Then they pitch up at the site, and shortly afterwards the last remaining black rhino will wander past. Bang.

At fotoLibra we don’t like this. So we’ve made the decision to strip the GPS data from every wildlife photograph in our library.

That’s 13,878 images which poachers won’t be able to use to track down and slaughter animals.
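Stripping the tags is a mechanical job and does not require re-encoding the picture. The script below is an added example, not fotoLibra’s own tooling: it walks the JPEG’s APP1 Exif segment, follows the GPSInfo pointer in IFD0 (tag 0x8825) and zeroes both the GPS sub-IFD entries and the coordinate values they point to, leaving every other byte where it was so no other Exif offset moves. The sample file it builds for itself is a constructed stub with no image scan data; only the Exif/TIFF layout is real.

```python
"""Strip GPS metadata from a JPEG's Exif block in place (added example, not fotoLibra code)."""
import struct

# Byte width of one element of each TIFF field type.
TIFF_TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the offset of the GPS sub-IFD


def _iter_app1_exif(buf):
    """Yield the absolute offset of the TIFF header inside each APP1 Exif segment."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(buf) and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or SOS: no more metadata segments follow
            return
        if pos + 4 > len(buf):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        payload = pos + 4
        if marker == 0xE1 and buf[payload:payload + 6] == b"Exif\x00\x00":
            yield payload + 6
        pos = payload + length - 2


def _tiff_reader(buf, base):
    """Return u16/u32 readers that take offsets relative to the TIFF header."""
    order = {b"II": "<", b"MM": ">"}.get(bytes(buf[base:base + 2]))
    if order is None:
        raise ValueError("bad TIFF byte order mark")
    def u16(off): return struct.unpack(order + "H", buf[base + off:base + off + 2])[0]
    def u32(off): return struct.unpack(order + "I", buf[base + off:base + off + 4])[0]
    return u16, u32


def _gps_ifd_offset(buf, base):
    """TIFF-relative offset of the GPS IFD, or None when IFD0 carries no pointer to one."""
    u16, u32 = _tiff_reader(buf, base)
    ifd0 = u32(4)
    for i in range(u16(ifd0)):
        entry = ifd0 + 2 + 12 * i
        if u16(entry) == GPS_IFD_POINTER:
            return u32(entry + 8)
    return None


def gps_tags(data):
    """List the GPS tag IDs present (handy as a before/after check on a batch)."""
    buf, found = bytearray(data), []
    for base in _iter_app1_exif(buf):
        u16, _ = _tiff_reader(buf, base)
        gps = _gps_ifd_offset(buf, base)
        if gps is not None:
            found += [u16(gps + 2 + 12 * i) for i in range(u16(gps))]
    return found


def strip_gps(data):
    """Return a copy of the JPEG with every GPS IFD emptied and its out-of-line values zeroed.

    Entries are overwritten rather than removed, so nothing else shifts and the file length is
    unchanged; a reader following the IFD0 pointer finds a valid GPS IFD with zero entries.
    """
    buf = bytearray(data)
    for base in _iter_app1_exif(buf):
        u16, u32 = _tiff_reader(buf, base)
        gps = _gps_ifd_offset(buf, base)
        if gps is None:
            continue
        for i in range(u16(gps)):
            entry = gps + 2 + 12 * i
            typ, count, val = u16(entry + 2), u32(entry + 4), u32(entry + 8)
            size = TIFF_TYPE_SIZE.get(typ, 1) * count
            if size > 4:                   # value stored elsewhere: wipe the coordinates themselves
                buf[base + val:base + val + size] = bytes(size)
            buf[base + entry:base + entry + 12] = bytes(12)
        buf[base + gps:base + gps + 2] = bytes(2)  # entry count -> 0
    return bytes(buf)


def build_sample_jpeg():
    """Constructed test input: SOI, one APP1 Exif segment, EOI; no image data.

    Exif holds IFD0 -> GPS IFD with GPSLatitudeRef "N" inline and GPSLatitude 51/1, 30/1, 0/1
    stored out of line at TIFF offset 56.
    """
    tiff = bytearray(b"MM\x00\x2a" + struct.pack(">I", 8))      # big-endian, IFD0 at offset 8
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 2)                                   # GPS IFD at 26, two entries
    tiff += struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"   # GPSLatitudeRef, ASCII, inline
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 56) + struct.pack(">I", 0)  # GPSLatitude -> 56
    tiff += struct.pack(">IIIIII", 51, 1, 30, 1, 0, 1)             # 51 deg 30' 0" as RATIONALs
    app1 = b"Exif\x00\x00" + bytes(tiff)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run it over the files actually served for preview and download, not just the masters, and keep the before/after `gps_tags` comparison in the batch log. A caption or keyword naming the reserve gives a poacher the same information without a single GPS tag, so the metadata review has to cover text too.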

Last Saturday I went to Lord’s to watch the third day of the England v New Zealand Test match, which was neatly wrapped up by England on the following day. Well played, Broady!

I was sitting with three old friends, and one of them — let’s call him David, as he values his privacy — told me this astounding story of how he had been scammed out of some £4,000. David is an intelligent and sophisticated man, a successful corporate advisor and business planning consultant. He is nobody’s fool. This, in his own words, is what happened to him:

I was sitting at my desk in London on the evening of Thursday, 9th May, when my telephone rang. A man introduced himself as DCI Harris from Holborn Police Station. He gave his number as EK 457. He said that two Eastern European men had just been apprehended on the suspicion of credit card fraud. They had details of various people that they might have been targeting and I was one of them. He gave me an incident/crime number (No. 29121575665) and advised me to get in touch with my credit card company and have a block put on my account(s).

I rang off and then looked at the back of my Barclaycard Visa debit card for the Barclaycard Customer Services contact number. I dialled the number and got through to a Customer Services lady (who later said that her name was Louise White) and I told her about DCI Harris’ advice. She took the details of my Barclaycard debit card and then proceeded to ask me some questions to verify that I was who I said I was. Among these questions were my date of birth and my mother’s maiden name. She also asked me to give details of a direct debit on my account, including the payee, the amount paid and the time of month that it was paid.

She appeared satisfied about my identity and then asked when I had last used the card. I said that I had withdrawn £100 from a bank in Essex on the previous day. She said that she could see that transaction, but she then mentioned four further transactions that had taken place that evening near to Oxford Circus. I said that these certainly were not my transactions. She said that my card must have been compromised.

She then said she was going off to see if she could get hold of DCI Harris to see if these might be transactions carried out by his suspects. She said that it was important that I stayed on the ‘phone while she did this, so that she was sure of my whereabouts. She returned a little while later to say that the police thought that they might have a suspect who was actually using a card with my number on it. He was later reported to have got away.

She then asked if I had any other credit or debit cards. I said that I had a Barclaycard Visa credit card and a Barclaycard Mastercard credit card. She asked for details of these cards and she looked up the activities on them. She read out a list of recent transactions on them and these were in the West End that evening. I said that none of them were anything to do with me. She asked me if there was anyone in my household who could have copied my cards. I said that there was only me, my cleaning lady and my brother, who had stayed overnight recently, and I was sure that they wouldn’t have done anything.

She then said that she must speak to her boss and again said that I must stay on the line while she was away, emphasising that I might be considered to be a suspect in a fraud. She came back to say that a special team in Surrey was working on this sort of fraud and they wished to have my cards to examine and contrast them with some counterfeit ones. They were going to send a courier to collect them. She would therefore put a block on my cards and would then ask me to put them in a sealed envelope for collection – it was important that only my recent fingerprints were on them.

She then went through the process of putting a block on each of the cards – this ended with me having to tap my pin number on to my telephone keypad. During the time that the courier was coming up from Surrey, she asked if I had any other credit cards and I said that I had an American Express card. She said that she would be able to ask American Express if there had been any recent activity on that card. I therefore gave her the card number and she came back with a list of very recent transactions. These had nothing to do with me. She therefore advised me to put a block on this card as well and went through the same procedure. She suggested that this should also be sent to the Surrey experts.

There then followed a period during which the courier was coming up from Surrey. While we were waiting, the Barclaycard lady said that she needed to write a report on this whole event for her boss. She asked me which phases I could remember and we constructed a report together. The courier then arrived in uniform, collected the envelope of cards and left. I didn’t get a view of any vehicle.

The Barclaycard lady wanted me to stay on line in case there were any further queries. I inadvertently dropped the receiver a short time later and was planning to ring the lady back, but couldn’t find her number. Without her pressure, I was able to think what I had done and realised that there could well be a scam here (although I had never doubted the ‘Barclaycard’ lady during our conversations). I thought that I would go down to Notting Hill police station and ask whether DCI Harris existed. They were very busy with other things at the station, but they took time to tell me that I was undoubtedly the victim of a scam and lent me their telephone to call the real Barclaycard. My respondent there confirmed that money had been withdrawn from each of my Barclaycard accounts in the last hour or two. I then realised that I had been completely hoodwinked.

I now realise that the key element in the scam was my telephone. When I rang off initially, the ‘policeman’ stayed on the line and the scammers were able to create a dialling code when I lifted my receiver and appeared to get through to the ‘Barclaycard’ lady. She kept my attention and confidence very cleverly throughout the rest of a very long conversation.

If you get a call like this, call your card company back on a different phone. As David’s last paragraph explains, the scammer who rang you can hold your line open, so redialling on the same handset simply puts you back through to the scammers, whatever number you dialled. If this can happen to David, then it can happen to any one of us. Fraudsters used to be relatively easy to spot — Dere valued Natwest customer pliz give me yore pin numbre now, yours in the Lord — but now they are getting smarter than us. David got his money back from the banks, of course, although American Express seem to be reluctant to settle. The scammers have got away with £4,000 plus, and the banks will want to recover that somehow, so gradually they’ll get it back from us, in higher costs.

Once upon a time (early this morning, actually) there was a photographer who came across a lovely website called fotoLibra.

“Gosh,” he thought. “If I sign up I can upload my pictures to fotoLibra and if they sell I’ll make some money.” So he uploaded two pictures for nothing.

This very same morning a nice lady in New York found the same lovely website.

“Gee willikins,” she thought. “I’ll sign up, and what I’d like to do tonight is buy a photograph of some guitar strings, for 5000 corporate CDs in Europe.”

Within minutes another nice lady in Pennsylvania also discovered fotoLibra and signed up. “Now, let me see,” she mused, “I think tonight I’ll have a photo of some guitar strings on my commercial internet site for a year. Ah! Here we are! The very thing!”

And both ladies, by fortunate happenstance, had hit upon the same photograph, uploaded by our lucky new member in Indonesia only moments before.

What joy! Two satisfied customers and one happy photographer! And they all signed up within 30 minutes of each other! The picture was uploaded and sold twice before it had been online for half an hour. Job done by fotoLibra!

But then, far away on the other side of the world, a new day dawned, and deep in her feculent pit the great JACQUI NORMAN stirred. She pointed one terrible eye at the computer screen and in an instant spotted the improbability of such transactions.

“FF RR AA UU DD !!” she bellowed slowly and heavily, shaking the sere and devastated land around her lair.

As I write, there is no happy ending. The money — a fair amount, paid by credit card — will be deposited in the fotoLibra account by close of play tomorrow. In 30 days we have to pay the photographer.

And in four or five months HSBC will slowly realise there has been a fraudulent transaction and will remove the entire amount from our account without informing us first.

So maybe we won’t be paying this gentleman from Indonesia in 30 days. We’ll just hold on to the money for a little while, and see what happens.

We have come across websites which are using fotoLibra images without paying for them. They are using watermarked Preview images, which anyone is at liberty to drag off the site, but not for commercial use.

I’ve borrowed the following piece in its entirety from Jacqui Norman’s May fotoLibra Newsletter because I think an important function of a picture library is not only to sell but also to guard and protect our photographers’ assets, and if we come across any unauthorised image usage it is our duty to harry and beset the perpetrators as best we can. In Britain we have the Small Claims Court which we will unhesitatingly use — overseas it’s more difficult, but there are ways and means — one of which Jacqui proposes at the end of her article.

The benefit for fotoLibra photographers is that a complaint from a company will usually carry more weight than a complaint from an individual. A company is generally perceived to have deeper pockets and better legal support than most individuals, and will usually be prepared to pursue trivial debts which a sole person may not be able to afford, in time or money.

We’re mainly talking here about image sales in the region of £25 / $40. This is not going to rescue Greece’s economy, but if our photographers are losing money through illegal usage, then so are we. We are going to do something about it — but you have to help us by following this procedure. Over to Jacqui:

fotoLibra Member Bob Crook alerted us when he found one of his images with a large fotoLibra watermark being used on somebody’s blog. He asked if we’d made the sale, and we hadn’t — the thief had simply stolen the lo-res watermarked Preview and posted it on her blog.

But Do Not Panic. Your original images are safe. They cannot be downloaded from the fotoLibra site without our knowledge. But anyone can drag Thumbnails and Previews off any website, which is why in our case they are protected with embedded metadata and, in the case of Previews, with embedded watermarks too. We don’t mind students using such images for free in dissertations and essays. If they want to use an unwatermarked version they have to pay, which of course outrages them because they think everything on the internet should be free.

If it’s not for student use, we charge. But how do you track down unauthorised usage of your images?

Here’s how Bob does it, slightly adapted to suit all fotoLibra members:

1. Open Google Images in one browser.
2. In another browser, go to your Portfolio in the fotoLibra Control Centre.
3. Choose one of your images. Double click to enlarge it into a watermarked Preview image.
4. Highlight the image, and slide it onto the search bar on the Google page.
5. It will take only a few seconds to search.
6. When it has finished you will see the image at the top of the page and a list underneath of where it is being used.

It also attempts to show you similar images by matching the colours. Sometimes this is impressive. Sometimes it makes you realise how alien a computer’s “intelligence” can be.

If you have some curiosity and spare time, please check through some of your images this way. If you do find evidence that one or more of your images is being used without your knowledge or consent, this is what we want you to do: Email me [that’s jacqui (dot) norman (at) fotoLibra (dot) com] with a) the FOT number of your image, and b) the precise, full URL of where you saw that image being used.

We will contact the abusers and demand payment on your behalf. We can never guarantee success, particularly in overseas jurisdictions, but we can certainly frighten them, and we can name and shame them.

In fact — here’s a thought — if people don’t pay up, I might publish a regular Cheat List, where we can publicise URLs where any unpaid for fotoLibra Preview images appear, and fotoLibra members and friends can then comment on the probity and honesty (or otherwise) of the offending sites. What do you think?

Well Jacqui, I think it’s a good idea. Not a great one, because at heart I’m not confrontational, but if I sit down and think about this I can work myself up into quite a state of indignation. These people — I don’t know how many of them there are — are thieves. Bob Crook has found two, and checking through ten of my underwhelming images I have already found two which are currently being used illegally. That’s 20%. Admittedly I did choose ten images I thought might lend themselves most readily to theft. TinEye is another good way of uncovering shady image use.

I’m happy to name and shame any site which uses a fotoLibra watermarked image without permission. However I won’t rush straight in whirling my bat around my head because I’ve stepped up to the plate for young Bob before, when he claimed some publisher had used a fotoLibra image without permission. We investigated and discovered the image had been uploaded to fotoLibra three weeks after the book had been published — Bob had sold it through another picture library and had forgotten all about it. We had our ears torn off by a slider from the publisher and I don’t think we’ll be selling them any images for a while.

We’re busy with our final preparations for fotoFringe London 2012, the picture buyers’ fair which is being held tomorrow in King’s Place, a newish office block and conference centre where The Guardian have their offices, near King’s Cross.

And it’s an article in The Guardian that I want to write about. A friend in Euskadi alerted me to this one (thank you Peta) because it’s one of my favourite topics — the freedom of photographers to use their cameras.

Stonehenge, Trafalgar Square, National Trust properties, a whole bunch of places in the USA — the list of places where photography is banned or restricted lengthens daily. Now, unsurprisingly, we can add the Olympic park in East London to the list.

I’ll never get to see this place because all my ticket applications have proved unsuccessful. However I am permitted to contribute substantially towards it through a hike in my London rates over the next ten years. So I’d like to see some pictures of it.

The Olympic venues are technically private property (purchased using our money, but when did that ever restrain our dear leaders?) so control can be asserted over what can and can’t be photographed within the precincts. But not on the public spaces surrounding the venue, of course.

The Guardian thought this could be interesting, so they sent a couple of photographers and a video to test the temperature of the waters. They struck lucky straight away when they ran into an incompetently and incompletely briefed security guard whose debating skills and command of English were no match for the fiercely well prepared Guardian hacks. He simply attempted to stop them filming in a public place. They refused. Reinforcements arrived.

And here — well, you know I’m on the side of the photographers, but this was outright provocation and harassment. The Guardian hacks were milling around, pushing for a reaction. But they came up against an intelligent, articulate and reasonable security supervisor who conceded they had a right to photograph on public land but as this was a sensitive area — the Olympic Park’s security centre — it would be most awfully kind of them if they could possibly desist.

The Guardianistas hectored and interrupted. They tried to photograph the armband name badge of an old fart security guard who looked worryingly like me, and he tore it off to prevent them. Bad move. The hacks loved it.

I want photographers to be able to photograph what they want when they want where they want, within reason and without causing offence, upset or danger. Yes, there are security concerns. Yes, there are privacy issues. I’m less impressed by the “we own it, therefore we should profit from it” brigade. I personally find paparazzi distasteful, and I believe they were the major contributing factor in the death of Princess Diana.

Our cause isn’t helped by photographers manufacturing an incident where none existed. But every movement needs an obnoxious vanguard.

Having been ripped off by a Nigerian scammer (details here) we asked our local MP Elfyn Llwyd (Plaid Cymru) if there was anything he could do to help.

He was as outraged as we were that the issuing bank knew of the fraud two months before coming to HSBC and demanding that $800 be removed from the fotoLibra account, by which time of course we had disbursed the money. He said he would write to the Chairman of HSBC.

Which he did. He received a reply from David Lewis, Head of HSBC Customer Relations, absolving the bank of any responsibility and arguing that it was fotoLibra’s fault for accepting ‘cardholder not present’ transactions. This amazing statement ignores the fact that 10.7% of all retail sales* are now made via the internet, every one of which is a ‘cardholder not present’ transaction.

Mr. Lewis concluded

There are some steps the merchant/retailer can take to minimise the possibility of fraud, for example asking for the numbers in the post code of the card holder and only delivering to that address (as fraudsters often ask for the goods to be sent to another address other than that of the registered cardholder).

That might have been relevant if fotoLibra delivered boxed goods to physical locations. But we don’t. We permit the download of digital images to an email address. There’s no connection to any part of the credit card.

Maybe a credit card could be linked to a fixed email address which would form part of the verification process? No, that’s probably far too simple. Isn’t it?

We are most grateful to Mr Llwyd for his concern and his response. That’s exactly what MPs are for. Full marks.

*Office for National Statistics, February 2012

The perceived risk of buying and selling using a credit card on the internet was the biggest single barrier to the growth of the World Wide Web.

In the eighteen years since I launched my first web site, that fear has largely been allayed. Internet users who now won’t buy with credit cards are a tiny minority. If your card is compromised in any way, the banks and card companies will refund your money and issue a new card.

But what protection is there for the merchants? The punter must be recompensed — but the financial organisations aren’t going to be the ones who lose. Someone has to pay. It’s going to be the merchants.

Here’s the Dramatis Personae of our little play:

Innocent Punter

Evil Fraudster

Innocent Merchant

Innocent Photographers

Innocent Credit Card Company

Innocent Bank

This is what happened to us. On Nov 17 Evil Fraudster used Innocent Punter’s credit card details to buy six images — over $800 worth — from us, the Innocent Merchant, and download them to Innocent Punter’s apparent email address.

On Nov 25 Innocent Punter signed an affidavit to say his card had been used in a fraudulent transaction, i.e. the purchase of $800 worth of images from fotoLibra. Innocent Merchant isn’t told of this, either by the bank or the credit card company. All we know is that $800 has been paid into our account and the images have been downloaded.

The $800 payment appears on our next bank statement. Christmas intervenes, and we make all the payments to our photographers on Jan 21. The $800 payment is still visible in our bank statements.

This morning, Jan 31, we receive a letter through the post from the bank telling us there has been a fraudulent transaction involving a credit card payment on Nov 17 and they are removing the $800 to pay for it. So the status quo of the Dramatis Personae is now as follows:

Innocent Punter — unscathed

Evil Fraudster — 6 digital images the richer

Innocent Merchant – $800 poorer

Innocent Photographers – $400 richer

Innocent Credit Card Company – unscathed

Innocent Bank – unscathed

My questions are

Who benefits from this fraud? Evil Fraudster gets 6 images (which haven’t been used as far as we can tell). Innocent Photographers get $400. Assuming the photographers aren’t linked to Evil Fraudster, they’re doing better than he is.

We pay the credit card companies substantial annual fees for the privilege of using their service. If they authorise a payment, we have to take their word for it. We cannot check every individual credit card transaction ourselves — that’s what we pay them to do.

So why is Innocent Merchant the only loser in this scenario? If the bank and the card company say ‘Here’s the money — spend it wisely’, how come they can snatch it back nearly three months after they’ve given it to us?

Most importantly, if the fraudulent transaction was reported on Nov 25, why weren’t we informed till Jan 31? That is OUTRAGEOUS.

Damien our IT guru has traced the route the transaction has taken. Unsurprisingly it trails back to those bastard Nigerians again. They’re not doing their country any favours at all. Could anyone ever trust a Nigerian nowadays?

Obviously the villain of the piece is the rogue Nigerian, but I fail to see how he can benefit from the scam. Can anyone enlighten me?

The end result is that we’ll just have to wait longer paying photographers after making a credit card sale from someone we haven’t dealt with before. 99% of credit card sales made through fotoLibra are perfectly legit. In fact, this is only the second one that’s gone wrong. The first one was such a blatant blag that even I could see through it — someone in Brazil signed up as a photographer and uploaded 4 photographs. The following day someone else from Brazil signed up as a buyer and bought the four images for £2,000. We then should have paid the Brazilian photographer £1,000. But we had our suspicions. We waited. And the bank claimed back the money after three months. We were not compensated.
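The Brazil case here and the Indonesia sale in the post above share a shape a machine can spot before a human does: a brand-new seller, a brand-new buyer, a sale within minutes of upload, and a payout falling due long before the card issuer gets round to reversing the charge. The Python below is an added example, not fotoLibra’s system: it scores a sale against those signals, flags an image bought by two different new buyers within half an hour, and holds the photographer’s share of any flagged sale until an assumed 120-day chargeback window has closed instead of the normal 30 days. The window, the 14-day definition of a new account, the one-hour upload-to-sale gap and the sample accounts and sales are all constructed.

```python
"""Score a sale for buyer/seller fraud and decide when the photographer's share may be released.

Added example with assumed policy values; accounts and sales below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

STANDARD_PAYOUT = timedelta(days=30)     # the normal "pay the photographer in 30 days"
CHARGEBACK_WINDOW = timedelta(days=120)  # assumed: how long an issuer may take to claw a sale back
NEW_ACCOUNT = timedelta(days=14)         # assumed: accounts younger than this count as new
QUICK_SALE = timedelta(hours=1)          # upload-to-sale gap that is improbable for a stranger


@dataclass
class Account:
    account_id: str
    created: datetime
    country: str


@dataclass
class Sale:
    image_id: str
    image_uploaded: datetime
    sold_at: datetime
    buyer: Account
    seller: Account
    amount_gbp: float


def risk_flags(sale):
    """Name the signals behind 'the improbability of such transactions'."""
    flags = []
    if sale.sold_at - sale.seller.created < NEW_ACCOUNT:
        flags.append("new_seller")
    if sale.sold_at - sale.buyer.created < NEW_ACCOUNT:
        flags.append("new_buyer")
    if sale.sold_at - sale.image_uploaded < QUICK_SALE:
        flags.append("sold_within_hour_of_upload")
    if "new_seller" in flags and "new_buyer" in flags and sale.buyer.country == sale.seller.country:
        flags.append("new_pair_same_country")  # fraudster on both sides of the sale
    return flags


def suspicious_images(sales, window=timedelta(minutes=30)):
    """Images bought by two or more different new buyers within `window` of each other."""
    by_image = {}
    for sale in sales:
        if "new_buyer" in risk_flags(sale):
            by_image.setdefault(sale.image_id, []).append(sale)
    hits = []
    for image_id, group in by_image.items():
        group.sort(key=lambda s: s.sold_at)
        for earlier, later in zip(group, group[1:]):
            if later.buyer.account_id != earlier.buyer.account_id and later.sold_at - earlier.sold_at <= window:
                hits.append(image_id)
                break
    return hits


def payout_release(sale, flags=None):
    """Earliest date the seller's share may be paid.

    A clean sale pays on the normal schedule; a flagged sale is held until the issuer's
    chargeback window has closed, so a clawback can never land after the money has gone out.
    """
    flags = risk_flags(sale) if flags is None else flags
    return sale.sold_at + (CHARGEBACK_WINDOW if flags else STANDARD_PAYOUT)


# Constructed sample data modelled on the two cases described in the text.
_T = datetime(2012, 6, 14, 8, 0)
ID_SELLER = Account("p1", _T - timedelta(minutes=40), "ID")
NY_BUYER = Account("b1", _T - timedelta(minutes=25), "US")
PA_BUYER = Account("b2", _T - timedelta(minutes=10), "US")
BR_SELLER = Account("p3", _T - timedelta(days=1, hours=2), "BR")
BR_BUYER = Account("b4", _T - timedelta(hours=1), "BR")
OLD_SELLER = Account("p2", _T - timedelta(days=900), "GB")
OLD_BUYER = Account("b3", _T - timedelta(days=600), "GB")
SAMPLE_SALES = [
    Sale("FOT0001", _T - timedelta(minutes=30), _T - timedelta(minutes=20), NY_BUYER, ID_SELLER, 250.0),
    Sale("FOT0001", _T - timedelta(minutes=30), _T, PA_BUYER, ID_SELLER, 95.0),
    Sale("FOT0002", _T - timedelta(days=200), _T, OLD_BUYER, OLD_SELLER, 25.0),
    Sale("FOT0003", _T - timedelta(days=1), _T, BR_BUYER, BR_SELLER, 2000.0),
]

if __name__ == "__main__":
    for sale in SAMPLE_SALES:
        print(sale.image_id, risk_flags(sale), payout_release(sale).date())
    print("velocity hits:", suspicious_images(SAMPLE_SALES))
```

This also answers the question of who benefits when the pictures are never used: where the fraudster is both photographer and buyer, the stolen card pays the merchant, the merchant pays the “photographer”, and the payout is the cash-out. Holding flagged sales past the chargeback window takes that exit away without delaying the 99% of sales that are clean.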